Introduction

The ransomware called Ryuk has established ransomware as a lucrative enterprise product. This sentence may sound provocative, as it is treating cybercriminals like businesspeople, but this is what Ryuk is about — making money. This strain of ransomware is estimated by Crowdstrike to have made the gang behind it over $3.7 million USD since its entry into the wild in August 2018.

Ryuk and its ransomware compatriots don’t just end in lost money and encrypted files. They also have a personal cost. Lake City, Florida, was a recent victim of the Ryuk ransomware, and the city ended up paying the $460,000 ransom. The IT Director of Lake City, Brian Hawkins, was sacked as part of the fallout from the attack — even though he had done everything in his power to prevent the infection.

So who is behind Ryuk, how does it work and how can it be stopped?

Security Awareness

Who is behind Ryuk?

According to an FBI notification, Ryuk ransomware has been found in over 100 international government and enterprise institutions. The cybercriminals behind Ryuk are following the money as they choose targets likely to have high revenues and high profiles, the hope being that they will pay up to keep the business running.

The hacking group behind Ryuk is believed to be the aptly named GRIM SPIDER. This conclusion was evidenced by CrowdStrike, with GRIM SPIDER being a cell of the larger Russian group WIZARD SPIDER. This latter group is also behind the Trojan Trickbot which, as we will see, is intrinsically linked to some Ryuk infections.

The trick in the tail

Ryuk is a tricky proposition. It uses cybercrime’s favorite technique: stealth. It can lurk in the target network for months, even up to a year according to an analysis by Crowdstrike. To do this, it works by piggybacking the Trojans Trickbot or Emotet (or both), which act as a dropper for the Ryuk payload. The time spent in stealth mode is believed to be for surveillance, in order to understand critical areas of a network that can be used to optimize the impact of the ransomware.

The infection appears to be a multi-part, complex dance of dropper Trojan(s), surveillance and ransomware infection. If you have a Ryuk infection, chances are you have already been infected with Emotet, Trickbot or both.

However, nothing is straightforward in the world of Ryuk. According to the FBI, some infections have been the result of unsecured or applied brute force against Remote Desktop Protocols (RDPs) to gain access. Again, even this can be part of a multi-part exploit involving lateral attacks.

A post-infection analysis of Ryuk often turns up a chain of infection. This chain typically begins with Emotet, which in turns drops Trickbot. The Trojans are then used to deploy post-infection tools such as Mimikatz and PowerShell Empire modules.

These tools act as a post-exploitation framework. Empire, for example, can be used to run PowerShell agents and can deploy keyloggers; Mimikatz can be used to steal administrator credentials and create persistent backdoors.

Once ensconced in an organization, these post-exploitation tools create the perfect backdrop for infection with the money-maker, Ryuk. And, of course, the setup can be sold to the highest bidder on a darknet marketplace to exploit further.

The exploit itself needs to then be carefully orchestrated. The Ryuk ransomware typically encrypts files using the standard encryption algorithm AES-256. The ransom note left as part of the attack, “RyukReadMe,” contains two private email addresses which must be used to make contact. Although some early infections demanded a set amount, later infections waited for contact to be made before the demand was set. This is perhaps a useful tactic, as the attackers might be able to negotiate a higher ransom price.

There is the usual promise of a “decryptor” if the ransom is paid, and sample decrypted files are offered as proof of purchase.

Payment is, of course, in bitcoin, to avoid detection. The bitcoin wallet address is given out with the ransom note.

Mitigation for Ryuk

The best tactic for dealing with Ryuk is avoidance. However, the following are useful in defending your organization against Ryuk infection.

  • Check out MITRE ATT&CK for advisories on the indicators of compromise (IoC) and mitigation methods for the attack, covering the likes of TrickBot and PowerShell
  • Make sure all staff have been through security awareness training to be able spot any tell-tale signs of malware infection and phishing attempts
  • Perform regular system backups scans to check registry persistence (although some builds of Ryuk may not maintain persistence)
  • Use off-site, secure backups and scan regularly for signs of a malware infection
  • Use multi-factor authentication (MFA) wherever supported
  • Keep devices and software up to date
  • Use network segmentation to reduce the impact of an infection
  • Use a next-gen anti-malware product

Conclusion

Ryuk, apparently, means “Gift of God.” This devilish offering is an unwanted gift you need to send back.

Ryuk and its perpetrators should not be underestimated. This is no kid in a hoodie playing with malware. The execution of Ryuk requires a sophisticated mix of delivery and communication to extort the ransom.

Various experts are suggesting that we have not seen the last of Ryuk. Something so lucrative is likely to be continued among the cybercriminal fraternity. However, as always, it will morph and evolve, and in doing so, help to hide itself from detection and make itself even more effective.

 

Sources

  1. Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware, Crowdstrike
  2. Ransomware Fall-Out of Lake City, Florida, WatchPoint
  3. Indicators of Compromise Associated with Ryuk Ransomware, FBI Flash
  4. GRIM SPIDER, Malpedia
  5. POST-EXPLOITATION WITH POWERSHELL EMPIRE 2.0, Ethical Hacking Blog
  6. TrickBot, MITRE
  7. PowerShell, MITRE